The Delhi High Court recently observed that bank customers who click on suspicious links sent by fraudsters, despite security warnings not to do so, also share the blame when they lose money to such cyber attacks [SBI v Hare Ram Singh & Anr].
The Court rejected the argument that a customer cannot be termed negligent merely because he claims not to have shared any of the One Time Passwords (OTPs) the bank sent during the transaction.
Notably, a 2017 circular issued by the Reserve Bank of India (RBI) exempts a bank from liability for a customer's loss through cyber fraud where the customer is found to have been negligent, such as by sharing his payment credentials. In such cases, the customer bears the entire loss until the fraud is reported to the bank.
A Bench of Chief Justice Devendra Kumar Upadhyaya and Justice Tejas Karia has ruled that a customer can be termed negligent if he does not heed a bank's warnings against clicking on suspicious links.
"The expression 'such as where he has shared the payment credentials' occurring in Clause 7(i) of the 2017 RBI Circular is plainly illustrative and not exhaustive; it does not confine customer negligence only to cases of express disclosure of payment credentials (or sharing of OTP/ login details). In the context of digital banking and cyber fraud, negligence may equally arise where a customer, despite repeated advisories and security warnings, accesses suspicious or unknown links, thereby compromising the security of the banking credentials," the Court said.
The Court made the observation in a case where an academic lost ₹2,60,000 from his State Bank of India (SBI) savings account through a voice phishing, or vishing, scam.
He had initially received a message asking him to click a link so that certain bank services would not be disrupted. He also received a call with a similar message. After he clicked the links, money was moved out of his account in two transactions before he was able to call his bank and block the account.
SBI refused to refund the amount, noting that the transactions were made using valid login credentials and that the bank had sent OTPs flagging that a money transfer was being requested.
An RBI banking ombudsman partially agreed with SBI's stance, but directed the bank to give the customer one-third of the lost amount.
The customer then approached the High Court, seeking a full refund.
A single-judge Bench ruled in his favour after noting the customer's assertion that even though he may have received some OTPs, he never shared the same with anyone. The customer had argued that this indicated that the cyberfraud took place without any need for OTPs, meaning that there was a security flaw that the bank should be held responsible for. The single-judge Bench found merit in these arguments and ordered SBI to refund the entire amount to the customer with interest.
SBI challenged this ruling before a Division Bench of the High Court.
The Division Bench set aside the single judge's order, holding that the customer had not shown how the bank had failed to comply with the RBI's regulatory safeguards.
It also questioned the single judge's reliance on the customer's claim that he had not shared any OTPs, and the conclusion drawn from it that the customer was not negligent and the bank was to blame.
The Court noted that such claims have to be proved by a detailed forensic examination, which a High Court cannot undertake in the exercise of its writ jurisdiction.
"The issues considered by the learned Single Judge, particularly whether the user ID and password of the INB profile linked to the Bank Account or the OTPs were compromised following interaction with a suspicious link received from an unknown source; whether negligence was attributable to (the customer); whether security protocols such as 2FA or OTP verification had been breached by malware deployed by cyber fraudsters; and whether the security apparatus of the Appellant-Bank failed to detect unusual login activity from a different Internet Protocol Address allegedly used by the fraudsters, are matters that necessarily require technical and forensic examination and adjudication on evidence and could not have been conclusively determined in exercise of writ jurisdiction," the Division Bench said.
The Court went on to hold that a customer's negligence in digital banking fraud cannot be confined to disclosing OTPs, but also includes clicking on suspicious links from unknown sources despite repeated advisories and warnings from the RBI and the bank.
Before a bank can be blamed in such cases of cyber fraud, there must also be material indicating that it failed to comply with RBI-prescribed security protocols, the Court added.
The Court observed that no such breach had been proved in respect of SBI's systems in this case.
The Court, therefore, disagreed with the single judge's decision to shift the entire blame onto the bank.
"The observations in the Impugned Judgment to the effect that (the customer) 'cannot be said to be negligent in any manner' and that the Subject Transactions occurred solely on account of deficiency attributable to the Appellant-Bank could, in our opinion, ordinarily not have been returned in the absence of any technical or forensic examination and are, moreover, not in consonance with the framework contemplated under the 2017 RBI Circular."
The Court therefore allowed SBI's appeal and set aside the single judge's judgment.
SBI was represented by Senior Advocate Harin P Raval, along with Advocates Rajiv Kapur, Akshit Kapur, Riya Sood, and Shreya Bansal. The bank's Chief Manager Karnik Pandya and Chief Manager (Law) HK Kataria also assisted in the case.
The customer was represented by Advocates Ravi Chandra Prakash and Purushottam S Tripathi.
The RBI was represented by Advocates Atul Sharma, Abhinav Sharma, Mr. Ayush Srivastava Snehashish.